
package.json vs package-lock.json


In this article, we will learn about the difference between package.json and package-lock.json.

package.json vs package-lock.json?

  • package.json:
    • It is used for installing packages in a Node.js project.
    • It is not just for installing the dependencies but also for other purposes like defining project properties, description, author & license information, scripts to run via npm, etc.
    • It keeps the minimum version an application needs.
    • Updating packages with npm install records the changed package information in package-lock.json, not in package.json.
      Note: You can read to understand how package.json is used to update packages with new updates.

  • package-lock.json:
    • It is solely used for locking dependencies to a specific version.
    • It keeps the exact version of each installed package so that we can re-install those packages with exactly the same versions.

How to create package-lock.json?

  • By default, npm generates this file when we run npm install (applicable to npm version 5 or above).
  • npm versions below 5 do not create this file by default; it has to be created manually with npm shrinkwrap, as npm-shrinkwrap.json.
  • If the package-lock.json file already exists, the npm command updates it with the latest information about the packages installed or updated.

Can we disable creating package-lock.json?

Yes, one can choose whether to allow creating this file or not.

  • By setting package-lock=false in ~/.npmrc, one can stop the npm command from creating package-lock.json.
  • If this setting is applied globally on the system and we want the file created for a specific project, we can pass the --package-lock option to the npm command, as in npm install --package-lock inside the project.

What if there is no package-lock.json file?

In the package.json file, the caret symbol (^) tells npm to install or update the package to the most recent major version.

For example:
Suppose "grunt": "^0.1.3" is listed in the package.json file of a project and the package is already installed at that version.
Now, if a new update becomes available for that package as version 0.9.3 and we run npm install, the package will be updated from version 0.1.3 to 0.9.3.

In the above case, if package-lock.json has not been created, this can cause a problem: if version 0.9.3 has any functional issue, the update can break the application.

Why package-lock.json?

Long story short: package-lock.json is used to avoid differences in installed dependencies on different environments and generate the same results on every environment.

Let’s look in more detail at why package-lock.json is needed:

  • It locks each dependency to its installed version, so that when someone sets up the application by cloning the codebase, either on a local system or during an application migration, all the previously installed packages are installed with the same versions and dependencies.
  • npm installs the exact versions of the packages saved in package-lock.json and ignores the ^ and ~ symbols from package.json. This avoids installing a latest/updated version of a package, which might break the application if the application codebase is not compatible with it.
  • It contains other meta information of packages to save the time of fetching that data from npm when installing any package using npm install.
  • It allows npm to skip repeated metadata resolutions for previously installed packages and hence optimizes the installation process.
  • It allows seeing previous states of node_modules without committing the directory itself.


Because of all the above reasons, we should always commit package-lock.json with our project source code so that future setup of the application will not install any available higher version and will install the packages with versions as recorded in the package-lock.json.
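A check that could run in CI on the committed lock file, as an added example (not code from the original article): it verifies that every dependency declared in package.json has a locked entry, and that each locked package records an exact version, an HTTPS resolved URL and an integrity hash. It assumes the packages layout of lockfileVersion 2 or 3 and registry tarballs only; auditLock and all sample data are constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) against package.json.
// Assumption: dependencies come from a registry as tarballs (no git or workspace packages).
function auditLock(pkg, lock) {
  const findings = [];
  const packages = lock.packages || {};
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };

  // 1. Every dependency declared in package.json must have a locked entry.
  for (const name of Object.keys(declared)) {
    if (!packages[`node_modules/${name}`]) {
      findings.push(`${name}: declared in package.json but not locked`);
    }
  }

  // 2. Every locked entry must pin an exact version, an HTTPS source and a hash.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || entry.link || entry.inBundle) continue; // root, symlink, bundled
    const name = path.split('node_modules/').pop();
    if (!/^\d+\.\d+\.\d+/.test(entry.version || '')) {
      findings.push(`${name}: no exact version recorded`);
    }
    if (!entry.integrity) {
      findings.push(`${name}: missing integrity hash`);
    }
    if (!entry.resolved || !entry.resolved.startsWith('https://')) {
      findings.push(`${name}: resolved URL is not HTTPS`);
    }
  }
  return findings;
}

// Constructed sample input: lodash is declared but never locked, grunt resolves over HTTP.
const samplePkg = { dependencies: { grunt: '^0.1.3', lodash: '^4.17.0' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: samplePkg.dependencies },
    'node_modules/grunt': {
      version: '0.1.3',
      resolved: 'http://registry.example.test/grunt/-/grunt-0.1.3.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
  },
};

console.log(auditLock(samplePkg, sampleLock));
```

Running a check like this before npm ci, which installs strictly from the lock file and exits with an error when it does not match package.json, keeps an unpinned or unverifiable entry from reaching a build.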

So now I guess you understand the difference between package.json and package-lock.json, and the use of package-lock.json.

  • Do we need both package-lock.json and package.json?
    No, we don’t need both but now we know what can happen if we do not have package-lock.json in our codebase.
  • Do we need package.json?
    Yes, we need package.json, that’s the main file that npm looks for during package installation.
  • Can we have a project with only the package-lock.json?
    No. Since npm needs package.json for package installation, package-lock.json alone will not work; it is just a reference that npm consults to install the exact versions of the packages mentioned in package.json.

I hope you like this article and that it helps you solve your problems.
